// @(#)01 1.2 src/tcpip/usr/samples/tcpip/named.conf, tcpnaming, tcpip720 8/18/97 13:41:11 // IBM_PROLOG_BEGIN_TAG // This is an automatically generated prolog. // // tcpip720 src/tcpip/usr/samples/tcpip/named.conf 1.2 // // Licensed Materials - Property of IBM // // Restricted Materials of IBM // // COPYRIGHT International Business Machines Corp. 1997 // All Rights Reserved // // US Government Users Restricted Rights - Use, duplication or // disclosure restricted by GSA ADP Schedule Contract with IBM Corp. // // IBM_PROLOG_END_TAG // // RISC System/6000 is a trademark of International Business Machines // Corporation. // // // Copyright (c) 1986 // The Regents of the University of California. All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // 1. Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // 2. Redistributions in binary form must reproduce the above copyright // notice, this list of conditions and the following disclaimer in the // documentation and/or other materials provided with the distribution. // 3. All advertising materials mentioning features or use of this software // must display the following acknowledgement: // This product includes software developed by the University of // California, Berkeley and its contributors. // 4. Neither the name of the University nor the names of its contributors // may be used to endorse or promote products derived from this software // without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND // ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE // ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS // OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY // OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF // SUCH DAMAGE. // // // Portions Copyright (c) 1993 by Digital Equipment Corporation. // // Permission to use, copy, modify, and distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice appear in all copies, and that // the name of Digital Equipment Corporation not be used in advertising or // publicity pertaining to distribution of the document or software without // specific, written prior permission. // // THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL // WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES // OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT // CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL // DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR // PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS // ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS // SOFTWARE. // // Portions Copyright (c) 1996, 1997 by Internet Software Consortium. // // Permission to use, copy, modify, and distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice appear in all copies. // // THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS // ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES // OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE // CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL // DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR // PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS // ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS // SOFTWARE. // // /etc/named.conf // // boot file for name server // // Look in /usr/samples/tcpip for hosts.awk to create named.data // from the /etc/hosts file, this can be done with the following command: // cd /usr/samples/tcpip // hosts.awk /etc/hosts > /etc/named.data // // Also you will find addrs.awk in the same directory which will create // named.rev from /etc/hosts, this can be done with the command: // cd /usr/samples/tcpip // addrs.awk /etc/hosts > /etc/named.rev // // You don't need to use the /etc/hosts file. Any file could be used to // supply the input provided it follows the same format as /etc/hosts. // // BEFORE doing these you should edit this file first and provide your // domain entries. // // NOTE: This file is used for named8. The file, /usr/sbin/named, is a link // to /usr/sbin/named4 or /usr/sbin/named8. /* * This is a nonrunnable example of a named.conf file that has * every conceivable syntax element in use. It is used to test the parser. * It could also be used as a conceptual template for users. */ /* * C-style comments are OK */ // So are C++-style comments # So are shell-style comments // watch out for ";" -- it's important! options { directory "."; // use current directory named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER dump-file "named_dump.db"; // _PATH_DUMPFILE pid-file "/var/run/named.pid"; // _PATH_PIDFILE statistics-file "named.stats"; // _PATH_STATS check-names master fail; check-names slave warn; check-names response ignore; datasize default; stacksize default; coresize default; files unlimited; recursion yes; fetch-glue yes; fake-iquery no; notify yes; // send NOTIFY messages. You can set // notify on a zone-by-zone // basis in the "zone" statement // see (below) auth-nxdomain yes; // always set AA on NXDOMAIN. // don't set this to 'no' unless // you know what you're doing -- older // servers won't like it. multiple-cnames no; // if yes, then a name my have more // than one CNAME RR. This use // is non-standard and is not // recommended, but it is available // because previous releases supported // it and it was used by large sites // for load balancing. allow-query { any; }; allow-transfer { any; }; transfers-in 10; // DEFAULT_XFERS_RUNNING, cannot be // set > than MAX_XFERS_RUNNING (20) transfers-per-ns 2; // DEFAULT_XFERS_PER_NS transfers-out 0; // not implemented max-transfer-time-in 120; // MAX_XFER_TIME; the default number // of minutes an inbound zone transfer // may run. May be set on a per-zone // basis. /* * The "transfer-format" option specifies the way outbound zone * transfers (i.e. from us to them) are formatted. Two values are * allowed: * * one-answer Each RR gets its own DNS message. * This format is not very efficient, * but is widely understood. All * versions of BIND prior to 8.1 generate * this format for outbound zone * and require it on inbound transfers. * * many-answers As many RRs as will fit are put into * each DNS message. This format is * the most efficient, but is only known * to work with BIND 8. Patches to * BIND 4.9.5 named-xfer that enable it * to understand 'many-answers' will be * available. * * If you are going to be doing zone transfers to older servers, you * shouldn't use 'many-answers'. 'transfer-format' may also be set * on a host-by-host basis using the 'server' statement (see below). */ transfer-format one-answer; query-source address * port *; /* * The "forward" option is only meaningful if you've defined * forwarders. "first" gives the normal BIND * forwarding behavior, i.e. ask the forwarders first, and if that * doesn't work then do the full lookup. You can also say * "forward only;" which is what used to be specified with * "slave" or "options forward-only". "only" will never attempt * a full lookup; only the forwarders will be used. */ forward first; forwarders { }; // default is no forwarders /* * Here's a forwarders example that isn't trivial */ /* forwarders { 1.2.3.4; 5.6.7.8; }; */ topology { localhost; localnets; }; // prefer local nameservers /* * Here's a more complicated topology example; it's commented out * because only one topology block is allowed. * topology { 10/8; // prefer network 10.0.0.0 // netmask 255.0.0.0 most !1.2.3/24; // don't like 1.2.3.0 netmask // 255.255.255.0 at all { 1.2/16; 3/8; }; // like 1.2.0.0 netmask 255.255.0.0 // and 3.0.0.0 netmask 255.0.0.0 // equally well, but less than 10/8 }; */ listen-on port 53 { any; }; // listen for queries on port 53 on // any interface on the system // (i.e. all interfaces). The // "port 53" is optional; if you // don't specify a port, port 53 // is assumed. /* * Multiple listen-on statements are allowed. Here's a more * complicated example: */ /* listen-on { 5.6.7.8; }; // listen on port 53 on interface // 5.6.7.8 listen-on port 1234 { // listen on port 1234 on any !1.2.3.4; // interface on network 1.2.3 1.2.3/24; // netmask 255.255.255.0, except for }; // interface 1.2.3.4. */ /* * Interval Timers */ clean-interval 60; // clean the cache of expired RRs // every 'clean-interval' minutes interface-interval 60; // scan for new or deleted interfaces // every 'interface-interval' minutes statistics-interval 60; // log statistics every // 'statistics-interval' minutes }; zone "master.demo.zone" { type master; // what used to be called "primary" file "master.demo.zone"; check-names fail; allow-update { none; }; allow-transfer { any; }; allow-query { any; }; // notify yes; // send NOTIFY messages for this // zone? The global option is used // if "notify" is not specified // here. also-notify { }; // don't notify any nameservers other // than those on the NS list for this // zone }; zone "slave.demo.zone" { type slave; // what used to be called "secondary" file "slave.demo.zone"; masters { 1.2.3.4; // where to zone transfer from 5.6.7.8; }; check-names warn; allow-update { none; }; allow-transfer { any; }; allow-query { any; }; max-transfer-time-in 120; // if not set, global option is used. also-notify { }; // don't notify any nameservers other // than those on the NS list for this // zone }; zone "stub.demo.zone" { type stub; // stub zones are like slave zones, // except that only the NS records // are transferred. file "stub.demo.zone"; masters { 1.2.3.4; // where to zone transfer from 5.6.7.8; }; check-names warn; allow-update { none; }; allow-transfer { any; }; allow-query { any; }; max-transfer-time-in 120; // if not set, global option is used. }; zone "." { type hint; // used to be specified w/ "cache" file "cache.db"; }; acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0 // is disallowed; rest are OK acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed // by can_query are OK zone "non-default-acl.demo.zone" { type master; file "foo"; allow-query { can_query; }; allow-transfer { can_axfr; }; allow-update { 1.2.3.4; 5.6.7.8; }; }; key sample_key { // for TSIG; supported by parser algorithm hmac-md5; // but not yet implemented in the secret "your secret here"; // rest of the server }; key key2 { algorithm hmac-md5; secret "ereh terces rouy"; }; server 1.2.3.4 { bogus no; // if yes, we won't query or listen // to this server transfer-format one-answer; // set transfer format for this // server (see the description of // 'transfer-format' above) // if not specified, the global option // will be used transfers 0; // not implemented keys { sample_key; key2; }; // for TSIG; supported by the parser // but not yet implemented in the // rest of the server }; logging { /* * All log output goes to one or more "channels"; you can make as * many of them as you want. */ channel syslog_errors { // this channel will send errors or syslog user; // or worse to syslog (user facility) severity error; }; /* * Channels have a severity level. Messages at severity levels * greater than or equal to the channel's level will be logged on * the channel. In order of decreasing severity, the levels are: * * critical a fatal error * error * warning * notice a normal, but significant event * info an informational message * debug 1 the least detailed debugging info * ... * debug 99 the most detailed debugging info */ /* * Here are the built-in channels: * * channel default_syslog { * syslog daemon; * severity info; * }; * * channel default_debug { * file "named.run"; * severity dynamic; // this means log debugging * // at whatever debugging level * // the server is at, and don't * // log anything if not * // debugging * }; * * channel null { // this is the bit bucket; * file "/dev/null" // any logging to this channel * // is discarded. * }; * * channel default_stderr { // writes to stderr * file ""; // this is illustrative only; * // there's currently no way * // of saying "stderr" in the * // configuration language. * // i.e. don't try this at home. * severity info; * }; * * default_stderr only works before the server daemonizes (i.e. * during initial startup) or when it is running in foreground * mode (-f command line option). */ /* * There are many categories, so you can send the logs * you want to see wherever you want, without seeing logs you * don't want. Right now the categories are * * default the catch-all. many things still * aren't classified into categories, and * they all end up here. also, if you * don't specify any channels for a * category, the default category is used * instead. * config high-level configuration file * processing * parser low-level configuration file processing * queries what used to be called "query logging" * lame-servers messages like "Lame server on ..." * statistics * panic if the server has to shut itself * down due to an internal problem, it * logs the problem here (as well as * in the problem's native category) * update dynamic update * ncache negative caching * xfer-in zone transfers we're receiving * xfer-out zone transfers we're sending * db all database operations * eventlib debugging info from the event system * (see below) * packet dumps of packets received and sent * (see below) * notify the NOTIFY protocol * cname messages like "XX points to a CNAME" * security approved/unapproved requests * os operating system problems * insist consistency check failures * maintenance periodic maintenance * load zone loading * response-checks messages like * "Malformed response ..." * "wrong ans. name ..." * "unrelated additional info ..." * "invalid RR type ..." * "bad referral ..." */ category parser { syslog_errors; // you can log to as many channels default_syslog; // as you want }; category lame-servers { null; }; // don't log these at all channel moderate_debug { severity debug 3; // level 3 debugging to file file "foo"; // foo print-time yes; // timestamp log entries print-category yes; // print category name print-severity yes; // print severity level /* * Note that debugging must have been turned on either * on the command line or with a signal to get debugging * output (non-debugging output will still be written to * this channel). */ }; /* * If you don't want to see "zone XXXX loaded" messages but do * want to see any problems, you could do the following. */ channel no_info_messages { syslog; severity notice; }; category load { no_info_messages; }; /* * You can also define category "default"; it gets used when no * "category" statement has been given for a category. */ category default { default_syslog; moderate_debug; }; /* * If you don't define category default yourself, the default * default category will be used. It is * * category default { default_syslog; default_debug; }; */ /* * If you don't define category panic yourself, the default * panic category will be used. It is * * category panic { default_syslog; default_stderr; }; */ /* * Two categories, 'packet' and 'eventlib', are special. Only one * channel may be assigned to each of them, and it must be a * file channel. If you don't define them yourself, they default to * * category eventlib { default_debug; }; * * category packet { default_debug; }; */ }; include "filename"; // can't do within a statement